The role and responsibility of the internal audit function derive from the internal audit charter. Once that groundwork is laid, the role is quite expansive. Internal audit has various roles to play at the strategic and operational levels of an organization.
Role and Responsibility of the Internal Audit Function
At a strategic level, the internal audit function must understand:
- what the organization does and how its functions interact to achieve its strategic objectives,
- how the organization is changing due to the influences of internal and external forces and how change affects the internal auditing activity, and
- how the organization is responding to its mission, strategy, environment, structure, stakeholder needs, and the status of ethics and governance in the organization.
Keeping in view the aforementioned factors, the following eight dimensions can be taken as key roles of the internal audit function at the strategic level:
Initiate, Manage, Be a Change Catalyst, and Cope with Change
Change is the only thing that is constant in the universe. It is a reality for every organization from giant multinationals to the simplest of organizations. While change can galvanize an organization and result in successful growth and achievements, change can also pose great risks.
The role of internal auditing is to support and facilitate strategic change while simultaneously identifying the potential for risks associated with change and to propose effective controls for those risks.
Change can happen during an engagement when the internal auditing activity suggests new controls or better application of existing controls. It can happen in the internal audit function itself as changes in strategic plans require other priorities, skills, or changes in process targeted at enhancing effectiveness. Change may also come externally—from new or existing regulations.
Whatever the source of change, how individuals and groups react to change is often similar. They can feel intimidated by changes, dubious of the causes for change, and burdened by the requirement to dedicate valuable time learning new processes. Within an organization, productivity and morale may decline.
These reactions to change are natural, but their negative outcomes can be controlled by anticipating and managing them. Auditors are supposed to have, or be equipped with, the following:
- Emotional intelligence: This is an ability to understand and respect others’ perspectives, accurately perceive their emotions, and skillfully convey one’s emotions.
- Organizational awareness: The CAE will need to secure the buy-in of senior management and affected functions to implement change.
- Honesty and transparency: Dishonesty about motives for or impacts of change can undermine the process of implementing changes.
- Strong communication skills: Managers must be able to explain the problem that made change necessary, the reason why this solution is the best response, and how the change will be implemented. Essentially, managers should be able to listen. Through good communication, managers make those affected part of the change. They can explain impacts and propose their ideas. In this way, the group begins to welcome the change and becomes more invested in its successful application.
- Monitoring implementation: The implementation of the change must be monitored to identify and remove obstacles as they arise.
- Motivational skills: Change requires the members of the organization to leave the comfort and security of the familiar. Managers should look for opportunities to recognize and reward progress, and they should be ready with encouragement and reminders about an initiative’s goal when progress is difficult.
Through possession of these skills, the auditor can become a facilitator for change. However, it is only possible if the auditor has no conflict of interest or management responsibility for the areas under consideration.
Build and Maintain Network with Other Organization Executives and the Audit Committee
While the board values assurance of controls and risk management, senior management and executives are looking for information and changes that can help them achieve their business objectives. Delivering these values to distinct stakeholders requires diverse organizational conditions and internal auditing capabilities.
- The function needs to be able to deliver critical assessments of performance without fear of organizational repercussions. It must be able to adjust the audit forecast if issues emerge.
- Internal audit must be familiar with the organization’s business, its strategy and objectives, the processes of the functions being audited, the competitive pressures on the business, and practical limitations on the audit client’s potential to carry out internal auditing’s proposals.
- The audit plan should be aligned with the organization’s strategy and objectives. Recommendations must aim at root causes and suggest cost-effective controls. Understanding the organization’s business also includes seeing the organization as an enterprise, comprising multiple and interdependent functions and processes. Internal auditing should monitor all risks within the entity.
- The internal auditors must have good knowledge of information technology tools for data collection and analysis.
- The internal audit must be able to show management that investment in the internal audit function is merited. This may be through reporting any increase in productivity, increases in quality, lower purchasing costs, or decreases in waste or losses due to internal audit findings.
These capabilities will be beneficial for internal auditors as the path to understanding stakeholder expectations is also the path to building a stronger network of relationships within the organization.
The Chief Audit Executive and his or her team should have value for the organization in mind. They should nurture instrumental relations, build bonds, and work toward shared goals. This makes the work of the internal auditor much easier as the auditee becomes trusting of the auditor and shares information with the auditor more freely.
Trust can also be developed through various other means, such as connecting with the client over a meal and maintaining honest behavior marked by integrity. It can also involve courtesy gestures, such as those made during initial contact with audit clients. The audit manager should discuss what each side (auditor and audit client) needs to succeed and how the audit can help meet the needs of each.
Organize and Lead a Team in Mapping, Analysis, and Business Process Improvement
In a strategically managed organization, internal auditing may be involved in assuring the operational efficiency and effectiveness of specific processes or functions. Chief Audit Executives should be familiar with the discipline of business process improvement and the methodologies and tools used to describe, analyze, and improve the efficiency, effectiveness, and quality outcome of processes.
Business process development, or operational auditing, aids both the organization and internal auditing. For organizations, business process development provides a transparent picture or map of the steps in a process and the time, employees, technology and tools, and material resources required at every step. Maps can also be used to spot inefficiencies (such as time lost while waiting for materials to be transported from a warehouse to the manufacturing location) or to identify where in the process quality problems are arising and why.
The process map can be a benchmark and monitoring tool for successful processes or a diagnostic tool for problematic ones. In addition, process mapping can support employee development and staffing by more accurately identifying the number of workers needed, specific responsibilities for each position, and the skills each position requires.
For internal auditing, operational auditing gives a chance to deliver and show value to the board and senior management by assessing and reporting the organization’s key performance indicators. It also provides an opportunity for auditing staff to learn the organization’s business processes in greater depth.
Assess and Foster the Ethical Climate of the Board and Management
History has shown that a strategy of simply hoping people will act ethically and relying on periodic admonitions to “always act ethically” is not always successful. A carefully planned approach that starts at the top and cascades throughout the organization can create a culture in which people are committed to core organizational values and ethics.
Visible and vocal adherence from the board and management is an essential requirement for organizational ethics compliance. The board and management should model this commitment in their actions, the values they adopt, and actions they take for the organization.
The level and nature of risks related to an organization’s ethical climate vary by the type of business, internal and external pressures, and culture. An organization’s culture may determine the extent to which ethical values and policies are followed, ignored, or modified for convenience. It is the responsibility of internal auditing to create a transparent picture of the current ethical environment and suggest controls designed to sustain or improve it.
Internal auditors can judge the ethical environment of an organization through various actions including:
- Evaluating the completeness of ethics policies and codes—whether the organization’s policies and codes include appropriate subjects and guidance;
- Reviewing the adequacy of positive personnel practices in supporting an ethical climate;
- Determining whether appropriate communications are occurring and if employees and other stakeholders understand the information;
- Evaluating how well employees truly embrace the message and determining if there are explicit strategies to improve the ethical culture (for example: regular programs to update and renew the organization’s adherence to an ethical culture);
- Evaluating the effectiveness of the processes established to enable employees to communicate concerns regarding inappropriate behavior to management or the board such as a whistle-blower process;
- Determining if the appropriate process exists to ensure that allegations of misconduct are investigated, findings are properly reported, and corrective action is taken to improve controls; and
- Evaluating board oversight responsibilities and board monitoring activities.
Non-traditional assessment tools may also be required to evaluate the ethical environment. These tools can include:
- Employee surveys and compliance forms such as annual reports of financial dealings that might constitute a conflict of interest. Internal auditing can perhaps work with human resources to include questions related to ethics and governance in annual employee surveys; and
- Informal and continual networking of the chief audit executive and staff throughout the organization, which allows for observation of behaviors and attitudes.
The internal auditor’s involvement in ethics will vary. In some organizations, internal auditors may even serve as the primary driver behind all ethics-related initiatives.
Educate Senior Management and the Board on Best Practices in Governance, Risk Management, Control, and Compliance
Educating the board and senior management on best practices in governance, control, and compliance may be seen as part of how internal auditing adds value to the organization.
Board and senior management may be educated by:
- Facilitating workshops designed to identify emerging risks associated with the organization’s business environment; and
- Presenting at the board meeting on best practices in governance and risk management as practiced in peer organizations.
Communicate Internal Audit Key Performance Indicators to Senior Management and the Board Regularly
To perform its role in assuring governance, risk management, and operational effectiveness and efficiency, the internal audit activity must assure its own efficiency and effectiveness and report its performance to senior management and the board at agreed intervals.
Care must be taken to identify appropriate performance measures. These measures are aligned to the organization’s objectives and the internal audit charter. They target performance necessary to meet activity objectives. Generally, the following steps are used in establishing an effective performance measurement process:
- Define internal audit effectiveness in line with the applicable standards, code of ethics, and applicable laws and regulations.
- Identify key stakeholders (both internal and external). Internal stakeholders may comprise the board or audit committee, senior management, operations and support management, and internal auditors. External stakeholders may include regulators and standard-setting bodies, external auditors, third-party vendors, and customers. Detailed interviews and surveys can be organized to develop a comprehensive understanding of the requirements and expectations of every stakeholder.
- Once the stakeholders are identified, the key performance indicators (KPIs) can be identified. The KPIs focus on accomplishments or behaviors that are valued by the organization. They are appropriate indicators of performance and are comprehensible to the internal audit workforce, who use them to guide and enhance their performance.
A balanced scorecard approach can be used to develop specific KPIs. A balanced scorecard examines performance from four distinct views: financial needs, customer satisfaction, business processes needed to accomplish the activity’s mission, and learning and growth needed to ensure continuous improvement.
The Chief Audit Executive must ensure that performance against agreed KPIs is monitored, considered as the basis for quality improvement, and reported at a frequency agreed with the board and senior management—for example, quarterly—and in the way desired by stakeholders such as through presentations, automated dashboard, or e-mails.
Coordinate Internal Auditing Efforts with External Auditor, Regulatory Oversight Bodies, and Other Internal Assurance Functions
The internal auditing activity may be involved in coordinating with and helping both internal and external groups engaged in assuring compliance with laws and regulations or with organizational policies. These groups could include other functions within the organization such as quality assurance or regulatory affairs.
They could also be external groups such as regulatory agencies and external auditors. The goal is to support a level of accuracy, transparency, and integrity consistent with good governance. In addition, internal auditing should seek ways to make its work more efficient through coordination with these other groups.
It must be noted, though, that coordination is not limited to external auditors. Given the growing value of the work of internal auditors, they often must coordinate with other regulatory bodies and internal assurance providers. Internal assurance providers include but are not limited to security, safety, enterprise risk management, quality control, and compliance.
While coordinating with external auditors, organizations may also use the work of external auditors to give assurance related to activities that are in the domain of internal auditing. In these scenarios, the chief audit executive initiates the steps required to comprehend the work performed by the external auditors including the nature, timing, and extent of work planned by external auditors. Internal auditors are responsible for respecting the privacy of those programs and documentation.
On the other hand, the external auditor may also rely on the work of the internal audit activity in performing their work. In this case, the Chief Audit Executive needs to provide sufficient information to enable external auditors to understand the internal auditors’ techniques, methods, and terminology to facilitate reliance by external auditors on work performed.
External auditors are given access to the internal auditors’ programs and documentation so that they can satisfy themselves that relying on the internal auditors’ work is acceptable for external audit purposes.
Practical examples demonstrating the coordination of internal audit activity efforts with external auditors include:
- Comparing annual internal and external audit plans to eliminate duplication and encourage cooperation in the performance of an audit activity where appropriate;
- Reaching an enterprise-wide agreement so that results of activities (final reports, for example) are shared to help the organization achieve objectives and eliminate risks; and
- Communicating or sharing the external audit perspective on risk management, control, and governance processes with the internal audit activity to help with internal audit planning.
Good coordination between internal and external auditors will reap the benefits of economy, efficiency, and effectiveness, as duplication will be avoided and more focus can be placed on matters left unattended by the other party.
Assess Adequacy of the Performance Measurement System and Achievement of Organizational Objectives
Internal auditors must analyze the organization’s performance measurement system and assess whether the central corporate objectives are being accomplished. The basic considerations in assessing performance are identifying related standards for performance, comparing the performance to the identified standard, and evaluating performance gaps (deviations or variances from the standard). Further, required corrective actions should be specified and completed promptly.
The most common weaknesses in performance measurement systems involve using the wrong key performance indicators. The chief audit executive should review the activity’s performance measurement system regularly to ensure that internal audit key performance indicators are still aligned with the organization’s strategic objectives and most recent risk assessment.
For example, if a manufacturer sets in place a strategy to distinguish itself in its market through innovative products built on resource-intensive research and development programs, the CAE may expand or shift the activity’s focus area from auditing controls on operational efficiency to auditing controls on the security of proprietary information. The CAE should also consider whether the organization is meeting its goals, possible reasons for performance gaps, and the role internal auditing could play in addressing these gaps. For example, if a credit card company has not been able to lower users’ default rates, the CAE might include in the internal auditing activity’s key performance indicators performance objectives related to identifying lapses in procedures for approving credit.
The most significant distinction between an internal and an external auditor is the type of information managed. An internal auditor is responsible for the overall management of information, primarily non-financial information. A hired external auditor’s job is to examine the financial condition or business dealings, as well as compliance with various laws within the industry. For an internal auditor, understanding the function of each type of external auditor helps one better prepare for the documentation and requirements when an audit is required.